Creation of principal without password

Juliet Kemp j.kemp at
Thu Aug 17 06:22:09 EDT 2006

Fariba wrote:
> Is it possible to create a principal without password in kerberos? Thank 
> you.

You can create a principal with a random key (password) by using the 
-randkey option (i.e. in kadmin, 'addprinc -randkey user').  You can 
then extract this to a keytab, and use the keytab to authorise the user.

Note also that if you create a principal & set the password, then 
extract this principal to a keytab using 'ktadd', the key is randomised 
in the process (so your previous password will no longer work).

I think (not sure!) you *can* also set an empty password, if your 
policies are appropriate, but that would be somewhat insecure!

The manpage for kadmin is helpful.


+ Ms Juliet Kemp                                                +
+ Computer Manager		            star at         +
+ Astrophysics Group                                            +
+ Imperial College                  Tel: +44 (0)20759 47538     +
+ London. SW7 2AZ                   Fax: +44 (0)20759 47541     +

More information about the Kerberos mailing list